In our daily lives we try to protect ourselves from the worst. We buy insurance for our cars, homes and health and we safeguard personal information. Shouldn't business owners and IT managers treat their networks and critical infrastructure the same way?
According to Gartner, the majority of small and midsize businesses (SMB) under-invest in business continuity and disaster recovery planning. Gartner estimates only 35 percent of SMBs have a comprehensive disaster-recovery plan and fewer than 10 percent have crisis management, contingency, business recovery and business resumption plans.
For SMBs, it is critical to implement a disaster-recovery plan. According to Gartner, two out of five businesses that experience a disaster go out of business within five years. Moreover, disasters happen more frequently than you think because 80 percent of application downtime is caused by people or processes failures not disasters or technology failure.
Establish a downtime threshold
When building a disaster-recovery plan, the first objective should be to decide the recovery point objective (RPO) and recovery time objective (RTO). The RPO dictates the allowable data loss, while the RTO is the amount of time applications can afford to be down -- the maximum tolerable outage.
If a disaster occurs, how much time can your business afford to lose? An hour? A day? A week? An organization that requires immediate recovery will need to budget significantly more funds for disaster recovery than an organization that can afford to be down for a few days. In the same fashion, a tight RPO is expensive, but SMBs must weigh preventative expenditures against the potentially exorbitant cost of significant data loss. Identifying the RPO and RTO will help you allocate the appropriate resources.
If a business has difficulty establishing the RPO and RTO, a business impact analysis (BIA) can help. The basic assumption behind a BIA is that every element of the organization relies upon the continued operation of every other element, but some elements are more crucial than others. The BIA prioritizes mission-critical data and systems and helps organizations allocate the appropriate resources for each component in case of a cataclysmic event. The BIA can also show IT managers and SMB owners alike how much money they could lose by not implementing a disaster-recovery plan.
Build the disaster-recovery plan
When the RPO and RTO are established, you are ready to build a disaster-recovery plan. As you build the plan, keep these best practices top of mind:
-- Involve all organizational stakeholders, not just IT. For example, the human resources department plays a critical role in training employees on the disaster-recovery plan and communicating the disaster-recovery plan, so they should participate in development. Chief executives and other top managers are essential to securing disaster-recovery funding and organizational buy-in. If you lease your building, the property manager should be apprised of your plan. Further, it may be a good idea to inform local law enforcement of the plan. It is critical to involve all stakeholders in the planning and implementation.
-- Prevent data silos: It may be convenient to save documents to the desktop, but it is a bad habit for employees. Individual computer hard drives often are not backed up by IT, so implement a central server to prevent headaches and train all employees to use it exclusively.